CVE-2022-26925
Published: 10 May 2022
Summary
CVE-2022-26925 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
Windows LSA Spoofing Vulnerability CVE-2022-26925 affects the Local Security Authority component in Windows and carries a CVSS 3.1 base score of 8.1. The weakness is categorized under CWE-306 and permits an unauthenticated network attacker to spoof LSA communications, although the attack complexity is rated high.
An attacker positioned on the network can exploit the flaw without credentials or user interaction, with high impact on confidentiality, integrity, and availability: in effect, the attacker can impersonate the privileged security functions that the LSA performs.
Microsoft's MSRC security advisories detail the available patches and configuration guidance, while CISA's listing of the CVE in its Known Exploited Vulnerabilities catalog means that federal agencies must apply mitigations according to the published timelines.
The EPSS score rose sharply from a low baseline after disclosure to a peak of 0.9742 on 2023-04-22 before receding to the current value of 0.3743, demonstrating that exploitation interest increased substantially months after the initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31470
Vulnerability details
Windows LSA Spoofing Vulnerability
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 01 July 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication on LSA functions so an unauthenticated attacker cannot spoof communications to obtain elevated access.
- IA-9 (Service Identification and Authentication): requires identification and authentication of services before the LSA accepts or acts on their communications, blocking the spoofing vector.
- Protects the integrity of LSA network communications, preventing the spoofing that leads to confidentiality, integrity, and availability compromise.